Re: [Bitcoin-development] limits of network hacking/netsplits (was: Discovery/addr packets)
I really beg to differ on this one. If you're an Ubuntu user who is behind only one distro (quantal) you're stuck on version 0.6.2 with no updates since 2012 (yes, that means on May 15th you'll be lost). For those still on Debian Squeeze (ie barely out of date), you get 0.3.24! Yes, 0.3.24 including every issue we've fixed since (https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures) and bitcoin is not available in wheezy.

Those are just the two I bothered to look up, but, additionally, nearly every distro I know of links bitcoin against libdb5.1 (latest Ubuntu, Arch, etc) which means wallets run once with those packages will never be usable with an official Bitcoin build ever again. I can't necessarily fault them for this since 4.8 is quite old, but it's certainly not doing "mostly a pretty good job".

Matt

On Mon, 2013-05-06 at 23:48 -0500, Petr Praus wrote:
> I think it's worth noting that quite a large portion of Linux users probably get the mainline Bitcoin client from the packages. I think Bitcoin package maintainers are doing mostly a pretty good job :)

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
Graph Databases is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today!
http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
[Bitcoin-development] limits of network hacking/netsplits (was: Discovery/addr packets)
On Mon, May 06, 2013 at 11:25:50AM -0700, Gregory Maxwell wrote:
> On Mon, May 6, 2013 at 11:04 AM, Adam Back a...@cypherspace.org wrote:
>> bitcoin's primary vulnerability IMO (so far) is network attacks to induce network splits, local lower difficulty to a point that a local and artificially isolated area of the network can be fooled into accepting an orphan branch as the one-true block chain,
>
> It currently costs about 2016*25*$120 = six million dollars to reduce the difficulty in your isolated fork by a factor of 4.

Well I take your point that you have to produce 2016 blocks, but at a lower rate. But that doesn't directly translate into my cost; I am thinking pure network hacking. Maybe I could hack a pool to co-opt it into my netsplit and do the work for me, or segment enough of the network to have some miners in it, and they do the work. I am just thinking $500k/day worth of relatively perfect crime reward is a lot of motivation for hacking networks. Many routers, home and even carrier, are vulnerable to people armed with cisco source code 0-days.

The netsplit doesn't have to be geographical, nor even topological, nor even particularly long-lived. If you control enough people's network routing at a low enough level, you don't even have to stop transactions, nor do any mining work, just stop blocks from the netsplit crossing over, and hold that position for say a day (if your netsplit has 1/24 of network hash rate in it, so the split gets 6 confirmations to reassure the victims) and let the miners do the work. Do enough transactions to do a big cash out (spend differently on the two netsplits). Obviously a big and human-inattentive pool, dark-miner etc is the ideal target to put into the netsplit to increase the power while controlling less nodes.

Malware could do the same thing for clients, don't forget most are running windows. Malware could also start a miner if none present, maybe even from node first install time.

> Protecting against that— making sure any such attack has to start from a high difficulty— is, in my opinion, the biggest continued justification for checkpoints.

Do you know if there is any downwards limit on difficulty? I know it takes going slow for a long and noticeable time, but I am just curious on the theoretical limit.

>> (btw I notice most of the binaries and tar balls are not signed, nor served from SSL - at least for linux).
>
> They are signed.

I don't see the signatures. http://bitcoin.org/en/download I see no signatures for linux and none in the tarball. There are some public keys inside the tarball, that's it.

Also no SSL. sourceforge supports SSL so you can download that. But bitcoin.org doesn't even answer 443, and the source forge link is HTTP. But even if the sourceforge link was SSL one should not serve an SSL download link from an HTTP page, any more than type a password into an HTTPS form action on an HTTP page. The attacker can just redirect and the user doesn't know what is legitimate. Consequently even if there is code signing on the windows exe, the user doesn't know that, nor who they should be signed by, and as they are served via HTTP, it's bypassable.

I guess by far the easiest way to attack right now (at least linux users) is just to change the binaries to create a user operated netsplit, or just have all their wallets empty to you via a mix once the amount gets interesting. (All attacks hypothetical of course - I'm actually a white-hat type of person).

Adam
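The thread turns on whether users can actually verify a downloaded release against the project's signed SHA256SUMS.asc. The following is an added example (not code from the thread or from the Bitcoin project) showing the part of that check that comes after `gpg --verify` has accepted the signature: extracting the signed body from a PGP clearsigned message (RFC 4880 section 7 dash-escaping included), parsing the `sha256sum`-style "digest  filename" lines, and comparing them against local files. The sums file, file names and file contents below are constructed for the demo; the armor block is a placeholder, not a real signature, and nothing here replaces signature verification itself, since an unverified sums file proves only that the attacker hashed their own binaries correctly.

```python
import hashlib

# Constructed sample downloads (file name -> bytes). Names are invented.
SAMPLE_FILES = {
    "example-linux64.tar.gz": b"pretend tarball contents for the 64-bit build",
    "example-src.tar.gz": b"pretend source tarball contents",
}

# Constructed SHA256SUMS.asc in clearsigned layout. The signature armor is a
# placeholder: in real use `gpg --verify SHA256SUMS.asc` must succeed, against
# a key you obtained out of band, before the body below is trusted at all.
SAMPLE_SUMS_ASC = "\n".join(
    ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", ""]
    + [f"{hashlib.sha256(data).hexdigest()}  {name}"
       for name, data in SAMPLE_FILES.items()]
    + ["-----BEGIN PGP SIGNATURE-----",
       "<placeholder armor: not a real signature>",
       "-----END PGP SIGNATURE-----"]
)


def clearsigned_body(text: str):
    """Return the signed text of a PGP clearsigned message, or None if the
    armor markers are absent. Only the body between the armor headers and
    the signature block is the signed content."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        return None
    # Armor headers such as "Hash: SHA256" run until the first blank line.
    i = start + 1
    while i < end and lines[i].strip():
        i += 1
    body = []
    for line in lines[i + 1:end]:
        # Dash-escaping: body lines that began with "-" were prefixed "- ".
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_sha256sums(body: str) -> dict:
    """Parse 'hexdigest  filename' lines (sha256sum output format)."""
    sums = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        int(digest, 16)  # reject non-hex digests early
        sums[name] = digest.lower()
    return sums


def check_files(expected: dict, files: dict) -> dict:
    """Compare each listed file's SHA-256 against the signed digest.
    Returns {filename: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for name, digest in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
        else:
            actual = hashlib.sha256(data).hexdigest()
            results[name] = "OK" if actual == digest else "FAILED"
    return results


if __name__ == "__main__":
    body = clearsigned_body(SAMPLE_SUMS_ASC)
    expected = parse_sha256sums(body)
    print("clean download:", check_files(expected, SAMPLE_FILES))
    # Simulate a binary swapped on an HTTP mirror: the signed digest no longer matches.
    tampered = dict(SAMPLE_FILES, **{"example-linux64.tar.gz": b"swapped binary"})
    print("tampered download:", check_files(expected, tampered))
```

The design point is that the digest list is only as trustworthy as the signature over it, which is exactly why the list must be signed rather than merely served next to the binaries: a mirror that can swap the tarball can swap an unsigned SHA256SUMS just as easily.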
Re: [Bitcoin-development] limits of network hacking/netsplits (was: Discovery/addr packets)
On Mon, May 6, 2013 at 3:51 PM, Adam Back a...@cypherspace.org wrote:
> Maybe I could hack a pool to co-opt it into my netsplit and do the work for me, or segment enough of the network to have some miners in it, and they do the work.

Or you can just let it mine honestly and take the Bitcoins. This is fast (doesn't require weeks of them somehow not noticing that they're isolated), and yields the values I listed as 'costs' if you would have otherwise been able to use it to mine the difficulty down to 1. Cost is just as much foregone income from the alternative attack you could have done instead.

> nor even topological, nor even particularly long-lived.

At least for attacks that drive the difficulty down it does. If you want to talk about abusing a pool or creating a partition in order to create short reorgs— I agree, those don't have to be long lived and you can find many messages where I've written on that subject. It's inconsiderate to propose one attack and when I respond to it changing the attack out from under me. :( I would have responded entirely differently if you'd proposed people segmenting the network and creating short reorgs instead of mining the difficulty down.

> Do you know if there is any downwards limit on difficulty? I know it takes going slow for a long and noticeable time, but I am just curious on the theoretical limit.

Every 2016 blocks can at most lower the difficulty by a factor of 4, that's where the log4 (number of 2016 groups needed) and 4^n (factor in cost reduction for each group) come from in the formulas I gave previously.

> I don't see the signatures.

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.8.1/SHA256SUMS.asc/download

The signatures can't be inside the tarball because they sign the tarball. Seems like the website redesign managed to hide the signatures pretty good. They're in the release announcements in any case, but that should be fixed. Even when they were prominently placed, practically no one checked them.

As a result they are mostly security theater in practice :( — so, unfortunately, is SSL: there are many CA's who will give anyone a cert with your name on it who can give them a couple hundred bucks and MITM HTTP (not HTTPS!) between the CA's authentication server and your webserver. Bitcoin.org is hosted by github; even if it had SSL and even if the CA infrastructure weren't a joke, the number of ways to compromise that hosting environment would IMO make SSL mostly a false sense of security.

The gpg signatures and gitian downloader signatures provide good security if actually used; solving the getting-people-to-use-them problem is an open question.

And I agree, this stuff is a bigger issue than many other things like mining the difficulty down.
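Greg's two numerical claims (six million dollars to cut an isolated fork's difficulty by 4, and a factor-of-4 ceiling per 2016-block period, which is where the log4 and 4^n terms come from) are easier to reason about with the model written out. The following is an added example, not code from the thread or from Bitcoin's code base. The retarget constants (2016 blocks, two-week target timespan, 4x clamp) and the 25 BTC subsidy and $120 price are as stated in the thread or as Bitcoin used them in 2013; the difficulty is tracked as a float rather than a 256-bit target, and the opportunity-cost formula, summing 2016 x 25 x price divided by 4^i over the periods, is my reconstruction of the formula Greg refers to but does not spell out here, so treat it as an assumption.

```python
# Added example: the difficulty-retarget clamp and the opportunity-cost
# model discussed above. Constants are Bitcoin's (2013 subsidy); the cost
# formula is an assumption reconstructed from the thread.

RETARGET_INTERVAL = 2016             # blocks per difficulty period
TARGET_TIMESPAN = 14 * 24 * 60 * 60  # two weeks, in seconds
MAX_ADJUST = 4                       # per-period clamp on the measured timespan
BLOCK_SUBSIDY_BTC = 25               # subsidy at the time of the thread


def retarget(difficulty: float, actual_timespan: int) -> float:
    """Next-period difficulty. The measured timespan is clamped to
    [target/4, target*4] before use, so one period can move the
    difficulty by at most a factor of 4 in either direction."""
    clamped = min(max(actual_timespan, TARGET_TIMESPAN // MAX_ADJUST),
                  TARGET_TIMESPAN * MAX_ADJUST)
    # Slow blocks (large timespan) lower the difficulty; fast blocks raise it.
    return difficulty * TARGET_TIMESPAN / clamped


def periods_to_reduce(factor: float) -> int:
    """Minimum number of 2016-block periods an isolated fork needs to bring
    its difficulty down by `factor`, mining as slowly as the clamp allows.
    This is ceil(log4(factor)), computed by simulation rather than logs."""
    difficulty, periods = 1.0, 0
    while difficulty * factor > 1.0 + 1e-12:       # until difficulty <= 1/factor
        difficulty = retarget(difficulty, 10 * TARGET_TIMESPAN)  # slower than the clamp
        periods += 1
    return periods


def attack_cost_usd(factor: float, btc_price_usd: float = 120.0) -> float:
    """Opportunity cost of mining the fork's difficulty down by `factor`:
    for each period the hashpower could instead have earned 2016 blocks of
    honest subsidy, and a period at 1/4^i of the original difficulty needs
    4^i times less work, so the foregone income shrinks by 4^i (assumption)."""
    per_period = RETARGET_INTERVAL * BLOCK_SUBSIDY_BTC * btc_price_usd
    return sum(per_period / MAX_ADJUST ** i for i in range(periods_to_reduce(factor)))


if __name__ == "__main__":
    # Constructed scenario: blocks arriving 100x slower than target still only
    # drop difficulty by 4x, because the clamp ignores anything beyond target*4.
    print("one very slow period:", retarget(1.0, 100 * TARGET_TIMESPAN))
    for f in (4, 16, 1024):
        print(f"reduce by {f:>5}x: {periods_to_reduce(f)} periods, "
              f"~${attack_cost_usd(f):,.0f} foregone")
```

The simulation makes the defender's point concrete: the number of periods needed grows only logarithmically in the reduction, but each period is 2016 full blocks that must be withheld from an isolated partition that somehow never notices, and the first period alone costs the six million dollars Greg quotes.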